Six reasons you should not use a private email server

In 2015, 205 billion email messages were sent and received daily, according to the Radicati Group. Messages are sent and received from computers, mobile phones, tablets and many other devices.

The current US election has seen Hillary Clinton’s presidential race mired in an email scandal involving the use of a personal email server while she served as secretary of state from 2009 to 2013.

FBI Director James Comey concluded an investigation, stating that while Clinton and her team were “extremely careless in their handling of very sensitive, highly classified information”, there would be no criminal charges. Comey placed more blame on the State Department for its lax information security practices.

While no one succeeded in hacking Clinton’s personal email account, there were attempts. The private server, Clintonmail.com, had to be shut down repeatedly because someone was trying to hack into it. Clinton received phishing emails to her private email account. Unnamed attackers were successful in breaking into the personal email accounts of Clinton’s close aides and obtained hundreds of emails exchanged with her personal account. A bigger concern is that a private email server has fewer resources behind it than State.gov email. Dozens of IT security professionals in various federal agencies, including the NSA, monitor for vulnerabilities and breaches in the State Department. This creates an umbrella-like intrusion-detection system, significantly more secure from attack than a personal server.

In an interview with Wired, Chris Soghoian, the technologist from the American Civil Liberties Union, said,

“When you build your house outside the security fence, you’re on your own, and that’s what seems to have happened here.”

Technical staff would need to set up and monitor digital certificates and virus and spam filters, and configure devices and firewalls. Sooner or later, the lack of manpower results in mistakes that can be exploited by hackers.

2) Convenience over security

Convenience and control are the main advantages of using a private email server and a separate email address. Clinton said she opted for convenience over security in choosing the private email server. The State Department has a mission to be outward-facing, open and fostering dialogue and communication. Yet, the challenge for any organization is to balance openness with strict security policies that sometimes hamper employee productivity and convenience.

Vinny Troia, CEO of Night Lion Security, describes working for the Department of Defense and is quoted as saying,

“Having to deal with all the security procedures is incredibly inconvenient, but that is the whole point.”

3) Privacy over transparency

Clinton’s use of a private email server allowed her team to control access to all information without backups or archives to government databases. The Federal Records Act requires all communication be recorded on government servers. It also disallows the use of personal email accounts for government business unless emails are copied and archived. A private email server makes it harder to act on Freedom of Information Act (FOIA) requests from journalists, investigators, and the general public. As discussed in this article, previous senior government staff and secretaries of state have violated the Federal Records Act, including Albright, Powell, Rice and Kerry.

Organizations must be vigilant in archiving the electronic communications of their employees to prevent them from getting into the wrong hands. They must also meet expectations around transparency and access, to safeguard the public.

4) Secure or encrypted email is rare

Most people don’t understand email encryption properly. Encryption is the process of converting data into an unrecognizable form. It is used to protect sensitive information, allowing only authorized parties to view it. Clinton thought that sending email to trusted colleagues made her email secure. She did not realize that the content of the messages was not secure. Venafi, a US computer security firm, analyzed Clinton’s private email server and found it was not encrypted or authenticated with a digital certificate for her first three months as Secretary of State. This means the server was vulnerable to snooping, hacking and spoofing, which is common when visiting certain countries. Kevin Bocek, VP of security strategy at Venafi, is quoted in Fortune, saying, “There could easily be a ‘man in the middle’ who could easily intercept communications because they’re not being encrypted.”

5) Physical security, reliability, and redundancy are hard to set up

While Clinton had physical protection with the Secret Service to monitor her home, the average person is vulnerable to an intruder breaking in and stealing the server. On site, fire or natural disasters are concerns if the information is not backed up at a remote secure location. Also, if the power goes out while you are away and the server does not come back online, you would be unable to use email. The solution depends on how quickly computer professionals diagnose and resolve the issue.

6) Get help and focus on what you do best

The biggest reason to not install your own private email server has to do with increased complexity and continuous learning. New cyber security threats appear daily. The bad guys are constantly inventing new ways to expose victims. The job of setting up and administering technology infrastructure is best left to professionals, where internal and external experts work together towards a common goal.

Summary

It is important for employees to learn a lesson when they make a mistake that compromises security. Hillary Clinton acknowledged this. For business leaders, it is crucial to consult and seek advice from trusted experts about the consequences of technology decisions.